Topic: Security Problem: password was emailed to me in plaintext
Shaun LeBron
« on: November 15, 2013, 01:52:22 PM »

I just registered with this forum, and it appears my password was stored in plaintext, at least until it was emailed to me.  That is not okay.

A hashed password should be stored, never the password itself.

I will refer to this discussion for more details:
http://security.stackexchange.com/questions/17979/is-sending-password-to-user-email-secure

Is this the correct channel for communicating this security issue?
Christian Knudsen
« Reply #1 on: November 15, 2013, 02:29:31 PM »

I believe SMF 1.1.17 stores hashed passwords.
Kemp
« Reply #2 on: April 11, 2015, 01:57:25 AM »

Sorry about necro'ing this thread, but this isn't exactly an active forum anyway :)

This was my concern as well and I'm glad someone else has already pointed this out. Historically, sites that have emailed out passwords (other than randomly generated temporary ones) have done very *very* badly on security.

Storing the password in hashed form is an absolute requirement, so I hope "I believe" means you've confirmed that it does. Sending out in plain text in an email is still bad form though, as it's open to very simple interception, not to mention someone simply looking over your shoulder or looking at an email on a device you left logged in.

I would strongly encourage you to stop sending out the password and to be sure that passwords are not stored in plain text.
Christian Knudsen
« Reply #3 on: April 11, 2015, 07:26:34 AM »

> Historically, sites that have emailed out passwords (other than randomly generated temporary ones) have done very *very* badly on security.

I often see SMF forum software mentioned as some of the most secure.

> Storing the password in hashed form is an absolute requirement, so I hope "I believe" means you've confirmed that it does.

It means that SMF by default hashes and salts passwords (this information is easy to find by googling), but I'm not the admin of this forum (though I don't see why anybody would change that default behaviour to something worse).

Sending user-generated passwords in emails is bad form, though (newer versions of SMF don't do this).
Matthew (Administrator)
« Reply #4 on: April 20, 2015, 10:08:32 PM »

Yes, passwords are emailed to you in plaintext by the forum software when you register.  I guess SMF devs had their reasons for doing that, although it is a weird choice.

No, your password is not stored in plaintext, but in a hashed+salted fashion with SHA-1 (you cannot, for instance, have your password emailed to you at a later time if you forget your password).
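An added example (not SMF's code and not from any poster) that makes the thread's two points concrete: Reply #4's "hashed+salted with SHA-1" storage, which is one-way and so cannot be mailed back later, and the alternative Kemp allows for, a randomly generated temporary credential. The record layouts, the 16-byte salt, the PBKDF2 iteration count and the token length are all assumptions of this example; SMF's real on-disk scheme is not described on this page.

```python
"""Salted one-way password storage, a slow-KDF upgrade of it, and a
single-use reset token to e-mail instead of the password.  Example code,
not SMF's own; record layouts and parameters are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets

# --- Salted SHA-1 in the shape Reply #4 describes (layout assumed) ---
# Stored form: "sha1$<hex salt>$<hex digest>".  Because the digest is
# one-way, the forum can only compare it against a fresh guess; it has
# no way to recover and e-mail the password later.

def hash_password_sha1(password: str, salt: bytes | None = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def verify_password_sha1(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "sha1":
        return False
    salt, digest = bytes.fromhex(parts[1]), parts[2]
    candidate = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


# --- Hardened form: PBKDF2-HMAC-SHA256 with a stored work factor ---
# Salted SHA-1 is one-way but fast, so a leaked table can be guessed at
# very high rates.  A deliberately slow KDF whose iteration count is
# stored in the record makes each guess expensive and lets the count be
# raised later without breaking existing rows.

PBKDF2_ITERATIONS = 600_000  # assumption: a reasonable 2023-era floor


def hash_password_pbkdf2(password: str, salt: bytes | None = None,
                         iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password_pbkdf2(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    iterations, salt, dk_hex = int(parts[1]), bytes.fromhex(parts[2]), parts[3]
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)


# --- What to e-mail instead: a random single-use token ---
# The mail carries only the token; the database keeps its SHA-256, so
# someone who reads the table still cannot forge a reset link.  The
# caller is expected to expire the record and delete it on first use.

def make_reset_token() -> tuple[str, str]:
    """Return (token_to_email, digest_to_store)."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
    return token, hashlib.sha256(token.encode("ascii")).hexdigest()


def verify_reset_token(token: str, stored_digest: str) -> bool:
    digest = hashlib.sha256(token.encode("ascii")).hexdigest()
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    rec = hash_password_sha1("correct horse battery staple")
    print(rec, verify_password_sha1("correct horse battery staple", rec))
    rec2 = hash_password_pbkdf2("correct horse battery staple")
    print(rec2, verify_password_pbkdf2("wrong guess", rec2))
    token, digest = make_reset_token()
    print("mail:", token, "store:", digest, verify_reset_token(token, digest))
```

Note that none of the three record types can be decoded back into the secret; the only operation the server has is verify. That is exactly why a site that can e-mail you your own password at registration has, at least briefly, held it in the clear, and why a reset flow should mail a fresh random token rather than anything derived from the stored hash.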